Understanding CMMC

Understanding CMMC – The New Standard

If you deal with the Department of Defense, you need to know about the Cybersecurity Maturity Model Certification (CMMC). It’s a new standard for securing data that you must follow if you are handling sensitive information, regardless of whether it’s classified. If you don’t follow CMMC, you won’t get DoD contracts or pick up work as a subcontractor or supplier.

The big difference with CMMC compared with previous standards and rules is responsibility. Previously, contractors were responsible not only for implementing adequate cybersecurity but also for assessing and verifying they had done so. Under CMMC, contractors remain responsible for meeting the rules, but independent third parties must now assess compliance. Prime contractors are responsible for making sure everyone in the supply chain for a particular contract has an appropriate CMMC certification level for the work they’ll perform.

CMMC Basics

CMMC also brings a clear five-level structure covering increasing degrees of cybersecurity. The levels are as much about principles and outlook as specific measures. The idea is that businesses have an ongoing process of moving up the levels, hence the inclusion of “maturity” in the name. Businesses will need to pass the assessment for each level in turn rather than applying directly for a higher level.

Each DoD contract will have a required CMMC level which a contractor must meet before they are eligible to bid. Level 1 certification is mandatory for any contract involving Federal Contract Information, while the level required for Controlled Unclassified Information will vary depending on the nature of the information.


The assessment is a bit of an alphabet soup, as it will be carried out by independent CMMC Third Party Assessment Organizations (C3PAO for short). These organizations will get their status from another independent body, the CMMC Accreditation Body (CMMC-AB). The CMMC-AB will also oversee the CMMC Assessors and Instructors Certification Organization (CAICO), which will train assessors.

Once your organization passes the assessment, it will get a CMMC certificate that’s valid for three years. The fact you have a certificate is public knowledge. The level you achieved and the specific feedback from the assessment aren’t public knowledge but will be accessible by the DoD.

There’s no longer any form of self-assessment when it comes to cybersecurity practices for DoD contractors. However, the DoD does publish its assessment guides and says it’s useful for contractors to run through the checklists themselves before booking a formal assessment. This may uncover issues that are easy to fix beforehand.


In general terms, Level 1 assessments are purely objective and checklist-based, while Levels 2 and above involve more subjectivity and human evaluation of procedures:

  • Level 1 covers performing basic cybersecurity measures.
  • Level 2 involves intermediate measures and documenting procedures.
  • Level 3 raises the security bar to “good” and requires evidence of managing the security set-up.
  • Level 4 requires proactive security measures and a review process.
  • Level 5 means optimized security processes and advanced measures.

Because of the subjective element, there will be an adjudication process if a business disagrees with an assessor’s decision.

The cost of assessments will depend largely on the level the business is applying for and the complexity of the business’s network. There’ll be an element of price competition between different assessors, with businesses hiring them through a central marketplace.

If you’d like to know more about CMMC and how we can help improve your cybersecurity, call us today for more details.
